2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
121 *al = TLS1_AD_INTERNAL_ERROR;
125 s->servername_done = 1;
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
135 if (!s->servername_done && s->session->ext.hostname != NULL)
136 s->ext.early_data_ok = 0;
142 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
143 X509 *x, size_t chainidx, int *al)
147 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
148 *al = TLS1_AD_DECODE_ERROR;
152 /* Received |value| should be a valid max-fragment-length code. */
153 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
154 *al = SSL_AD_ILLEGAL_PARAMETER;
159 * RFC 6066: The negotiated length applies for the duration of the session
160 * including session resumptions.
161 * We should receive the same code as in resumed session !
163 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
164 *al = SSL_AD_ILLEGAL_PARAMETER;
169 * Store it in session, so it'll become binding for us
170 * and we'll include it in a next Server Hello.
172 s->session->ext.max_fragment_len_mode = value;
176 #ifndef OPENSSL_NO_SRP
177 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
178 size_t chainidx, int *al)
182 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
183 || PACKET_contains_zero_byte(&srp_I)) {
184 *al = SSL_AD_DECODE_ERROR;
189 * TODO(openssl-team): currently, we re-authenticate the user
190 * upon resumption. Instead, we MUST ignore the login.
192 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
193 *al = SSL_AD_INTERNAL_ERROR;
201 #ifndef OPENSSL_NO_EC
202 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
203 X509 *x, size_t chainidx, int *al)
205 PACKET ec_point_format_list;
207 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
208 || PACKET_remaining(&ec_point_format_list) == 0) {
209 *al = SSL_AD_DECODE_ERROR;
214 if (!PACKET_memdup(&ec_point_format_list,
215 &s->session->ext.ecpointformats,
216 &s->session->ext.ecpointformats_len)) {
217 *al = SSL_AD_INTERNAL_ERROR;
224 #endif /* OPENSSL_NO_EC */
226 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
227 X509 *x, size_t chainidx, int *al)
229 if (s->ext.session_ticket_cb &&
230 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
231 PACKET_remaining(pkt),
232 s->ext.session_ticket_cb_arg)) {
233 *al = SSL_AD_INTERNAL_ERROR;
240 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
241 size_t chainidx, int *al)
243 PACKET supported_sig_algs;
245 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
246 || PACKET_remaining(&supported_sig_algs) == 0) {
247 *al = SSL_AD_DECODE_ERROR;
251 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
252 *al = SSL_AD_DECODE_ERROR;
259 #ifndef OPENSSL_NO_OCSP
260 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
261 X509 *x, size_t chainidx, int *al)
263 PACKET responder_id_list, exts;
265 /* Not defined if we get one of these in a client Certificate */
269 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
270 *al = SSL_AD_DECODE_ERROR;
274 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
276 * We don't know what to do with any other type so ignore it.
278 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
282 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
283 *al = SSL_AD_DECODE_ERROR;
288 * We remove any OCSP_RESPIDs from a previous handshake
289 * to prevent unbounded memory growth - CVE-2016-6304
291 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
292 if (PACKET_remaining(&responder_id_list) > 0) {
293 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
294 if (s->ext.ocsp.ids == NULL) {
295 *al = SSL_AD_INTERNAL_ERROR;
299 s->ext.ocsp.ids = NULL;
302 while (PACKET_remaining(&responder_id_list) > 0) {
305 const unsigned char *id_data;
307 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
308 || PACKET_remaining(&responder_id) == 0) {
309 *al = SSL_AD_DECODE_ERROR;
313 id_data = PACKET_data(&responder_id);
314 /* TODO(size_t): Convert d2i_* to size_t */
315 id = d2i_OCSP_RESPID(NULL, &id_data,
316 (int)PACKET_remaining(&responder_id));
318 *al = SSL_AD_DECODE_ERROR;
322 if (id_data != PACKET_end(&responder_id)) {
323 OCSP_RESPID_free(id);
324 *al = SSL_AD_DECODE_ERROR;
328 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
329 OCSP_RESPID_free(id);
330 *al = SSL_AD_INTERNAL_ERROR;
335 /* Read in request_extensions */
336 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
337 *al = SSL_AD_DECODE_ERROR;
341 if (PACKET_remaining(&exts) > 0) {
342 const unsigned char *ext_data = PACKET_data(&exts);
344 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
345 X509_EXTENSION_free);
347 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
348 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
349 *al = SSL_AD_DECODE_ERROR;
358 #ifndef OPENSSL_NO_NEXTPROTONEG
359 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
360 size_t chainidx, int *al)
363 * We shouldn't accept this extension on a
366 if (SSL_IS_FIRST_HANDSHAKE(s))
374 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
375 * extension, not including type and length. |al| is a pointer to the alert
376 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
378 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
379 size_t chainidx, int *al)
381 PACKET protocol_list, save_protocol_list, protocol;
383 if (!SSL_IS_FIRST_HANDSHAKE(s))
386 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
387 || PACKET_remaining(&protocol_list) < 2) {
388 *al = SSL_AD_DECODE_ERROR;
392 save_protocol_list = protocol_list;
394 /* Protocol names can't be empty. */
395 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
396 || PACKET_remaining(&protocol) == 0) {
397 *al = SSL_AD_DECODE_ERROR;
400 } while (PACKET_remaining(&protocol_list) != 0);
402 OPENSSL_free(s->s3->alpn_proposed);
403 s->s3->alpn_proposed = NULL;
404 s->s3->alpn_proposed_len = 0;
405 if (!PACKET_memdup(&save_protocol_list,
406 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
407 *al = SSL_AD_INTERNAL_ERROR;
414 #ifndef OPENSSL_NO_SRTP
415 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
416 size_t chainidx, int *al)
418 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
419 unsigned int ct, mki_len, id;
423 /* Ignore this if we have no SRTP profiles */
424 if (SSL_get_srtp_profiles(s) == NULL)
427 /* Pull off the length of the cipher suite list and check it is even */
428 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
429 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
430 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
431 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
432 *al = SSL_AD_DECODE_ERROR;
436 srvr = SSL_get_srtp_profiles(s);
437 s->srtp_profile = NULL;
438 /* Search all profiles for a match initially */
439 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
441 while (PACKET_remaining(&subpkt)) {
442 if (!PACKET_get_net_2(&subpkt, &id)) {
443 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
444 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
445 *al = SSL_AD_DECODE_ERROR;
450 * Only look for match in profiles of higher preference than
452 * If no profiles have been have been configured then this
455 for (i = 0; i < srtp_pref; i++) {
456 SRTP_PROTECTION_PROFILE *sprof =
457 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
459 if (sprof->id == id) {
460 s->srtp_profile = sprof;
467 /* Now extract the MKI value as a sanity check, but discard it for now */
468 if (!PACKET_get_1(pkt, &mki_len)) {
469 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
470 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
471 *al = SSL_AD_DECODE_ERROR;
475 if (!PACKET_forward(pkt, mki_len)
476 || PACKET_remaining(pkt)) {
477 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
478 *al = SSL_AD_DECODE_ERROR;
486 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
487 size_t chainidx, int *al)
489 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
496 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
497 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
498 * If a failure occurs then |*al| is set to an appropriate alert value.
500 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
501 X509 *x, size_t chainidx, int *al)
503 #ifndef OPENSSL_NO_TLS1_3
504 PACKET psk_kex_modes;
507 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
508 || PACKET_remaining(&psk_kex_modes) == 0) {
509 *al = SSL_AD_DECODE_ERROR;
513 while (PACKET_get_1(&psk_kex_modes, &mode)) {
514 if (mode == TLSEXT_KEX_MODE_KE_DHE)
515 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
516 else if (mode == TLSEXT_KEX_MODE_KE
517 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
518 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
526 * Process a key_share extension received in the ClientHello. |pkt| contains
527 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
528 * If a failure occurs then |*al| is set to an appropriate alert value.
530 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
531 size_t chainidx, int *al)
533 #ifndef OPENSSL_NO_TLS1_3
534 unsigned int group_id;
535 PACKET key_share_list, encoded_pt;
536 const uint16_t *clntgroups, *srvrgroups;
537 size_t clnt_num_groups, srvr_num_groups;
540 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
544 if (s->s3->peer_tmp != NULL) {
545 *al = SSL_AD_INTERNAL_ERROR;
546 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
550 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
551 *al = SSL_AD_DECODE_ERROR;
552 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
556 /* Get our list of supported groups */
557 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
558 /* Get the clients list of supported groups. */
559 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
560 if (clnt_num_groups == 0) {
562 * This can only happen if the supported_groups extension was not sent,
563 * because we verify that the length is non-zero when we process that
566 *al = SSL_AD_MISSING_EXTENSION;
567 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
568 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
572 while (PACKET_remaining(&key_share_list) > 0) {
573 if (!PACKET_get_net_2(&key_share_list, &group_id)
574 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
575 || PACKET_remaining(&encoded_pt) == 0) {
576 *al = SSL_AD_DECODE_ERROR;
577 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
578 SSL_R_LENGTH_MISMATCH);
583 * If we already found a suitable key_share we loop through the
584 * rest to verify the structure, but don't process them.
589 /* Check if this share is in supported_groups sent from client */
590 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
591 *al = SSL_AD_ILLEGAL_PARAMETER;
592 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
596 /* Check if this share is for a group we can use */
597 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
598 /* Share not suitable */
602 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
603 *al = SSL_AD_INTERNAL_ERROR;
604 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
605 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
609 s->s3->group_id = group_id;
611 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
612 PACKET_data(&encoded_pt),
613 PACKET_remaining(&encoded_pt))) {
614 *al = SSL_AD_ILLEGAL_PARAMETER;
615 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
626 #ifndef OPENSSL_NO_EC
627 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
628 X509 *x, size_t chainidx, int *al)
630 PACKET supported_groups_list;
632 /* Each group is 2 bytes and we must have at least 1. */
633 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
634 || PACKET_remaining(&supported_groups_list) == 0
635 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
636 *al = SSL_AD_DECODE_ERROR;
640 if (!s->hit || SSL_IS_TLS13(s)) {
641 OPENSSL_free(s->session->ext.supportedgroups);
642 s->session->ext.supportedgroups = NULL;
643 s->session->ext.supportedgroups_len = 0;
644 if (!tls1_save_u16(&supported_groups_list,
645 &s->session->ext.supportedgroups,
646 &s->session->ext.supportedgroups_len)) {
647 *al = SSL_AD_INTERNAL_ERROR;
656 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
657 size_t chainidx, int *al)
659 /* The extension must always be empty */
660 if (PACKET_remaining(pkt) != 0) {
661 *al = SSL_AD_DECODE_ERROR;
665 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
671 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
672 X509 *x, size_t chainidx, int *al)
674 if (PACKET_remaining(pkt) != 0) {
675 *al = SSL_AD_DECODE_ERROR;
679 if (s->hello_retry_request) {
680 *al = SSL_AD_ILLEGAL_PARAMETER;
687 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
688 size_t chainidx, int *al)
690 PACKET identities, binders, binder;
691 size_t binderoffset, hashsize;
692 SSL_SESSION *sess = NULL;
693 unsigned int id, i, ext = 0;
694 const EVP_MD *md = NULL;
697 * If we have no PSK kex mode that we recognise then we can't resume so
698 * ignore this extension
700 if ((s->ext.psk_kex_mode
701 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
704 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
705 *al = SSL_AD_DECODE_ERROR;
709 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
711 unsigned long ticket_agel;
713 if (!PACKET_get_length_prefixed_2(&identities, &identity)
714 || !PACKET_get_net_4(&identities, &ticket_agel)) {
715 *al = SSL_AD_DECODE_ERROR;
719 if (s->psk_find_session_cb != NULL
720 && !s->psk_find_session_cb(s, PACKET_data(&identity),
721 PACKET_remaining(&identity),
723 *al = SSL_AD_INTERNAL_ERROR;
729 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
731 if (sesstmp == NULL) {
732 *al = SSL_AD_INTERNAL_ERROR;
735 SSL_SESSION_free(sess);
739 * We've just been told to use this session for this context so
740 * make sure the sid_ctx matches up.
742 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
743 sess->sid_ctx_length = s->sid_ctx_length;
746 s->ext.early_data_ok = 1;
748 uint32_t ticket_age = 0, now, agesec, agems;
749 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
750 PACKET_remaining(&identity), NULL, 0,
753 if (ret == TICKET_FATAL_ERR_MALLOC
754 || ret == TICKET_FATAL_ERR_OTHER) {
755 *al = SSL_AD_INTERNAL_ERROR;
758 if (ret == TICKET_NO_DECRYPT)
761 ticket_age = (uint32_t)ticket_agel;
762 now = (uint32_t)time(NULL);
763 agesec = now - (uint32_t)sess->time;
764 agems = agesec * (uint32_t)1000;
765 ticket_age -= sess->ext.tick_age_add;
768 * For simplicity we do our age calculations in seconds. If the
769 * client does it in ms then it could appear that their ticket age
770 * is longer than ours (our ticket age calculation should always be
771 * slightly longer than the client's due to the network latency).
772 * Therefore we add 1000ms to our age calculation to adjust for
776 && sess->timeout >= (long)agesec
777 && agems / (uint32_t)1000 == agesec
778 && ticket_age <= agems + 1000
779 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
781 * Ticket age is within tolerance and not expired. We allow it
784 s->ext.early_data_ok = 1;
788 md = ssl_md(sess->cipher->algorithm2);
789 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
790 /* The ciphersuite is not compatible with this session. */
791 SSL_SESSION_free(sess);
793 s->ext.early_data_ok = 0;
802 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
803 hashsize = EVP_MD_size(md);
805 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
806 *al = SSL_AD_DECODE_ERROR;
810 for (i = 0; i <= id; i++) {
811 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
812 *al = SSL_AD_DECODE_ERROR;
817 if (PACKET_remaining(&binder) != hashsize
818 || tls_psk_do_binder(s, md,
819 (const unsigned char *)s->init_buf->data,
820 binderoffset, PACKET_data(&binder), NULL,
821 sess, 0, ext) != 1) {
822 *al = SSL_AD_DECODE_ERROR;
823 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
827 sess->ext.tick_identity = id;
829 SSL_SESSION_free(s->session);
833 SSL_SESSION_free(sess);
838 * Add the server's renegotiation binding
840 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
841 unsigned int context, X509 *x,
842 size_t chainidx, int *al)
844 if (!s->s3->send_connection_binding)
845 return EXT_RETURN_NOT_SENT;
847 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
848 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
849 || !WPACKET_start_sub_packet_u16(pkt)
850 || !WPACKET_start_sub_packet_u8(pkt)
851 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
852 s->s3->previous_client_finished_len)
853 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
854 s->s3->previous_server_finished_len)
855 || !WPACKET_close(pkt)
856 || !WPACKET_close(pkt)) {
857 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
858 return EXT_RETURN_FAIL;
861 return EXT_RETURN_SENT;
864 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
865 unsigned int context, X509 *x,
866 size_t chainidx, int *al)
868 if (s->hit || s->servername_done != 1
869 || s->session->ext.hostname == NULL)
870 return EXT_RETURN_NOT_SENT;
872 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
873 || !WPACKET_put_bytes_u16(pkt, 0)) {
874 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
875 return EXT_RETURN_FAIL;
878 return EXT_RETURN_SENT;
881 /* Add/include the server's max fragment len extension into ServerHello */
882 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
883 unsigned int context, X509 *x,
884 size_t chainidx, int *al)
886 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
887 return EXT_RETURN_NOT_SENT;
890 * 4 bytes for this extension type and extension length
891 * 1 byte for the Max Fragment Length code value.
893 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
894 || !WPACKET_start_sub_packet_u16(pkt)
895 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
896 || !WPACKET_close(pkt)) {
897 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
898 return EXT_RETURN_FAIL;
901 return EXT_RETURN_SENT;
904 #ifndef OPENSSL_NO_EC
905 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
906 unsigned int context, X509 *x,
907 size_t chainidx, int *al)
909 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
910 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
911 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
912 && (s->session->ext.ecpointformats != NULL);
913 const unsigned char *plist;
917 return EXT_RETURN_NOT_SENT;
919 tls1_get_formatlist(s, &plist, &plistlen);
920 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
921 || !WPACKET_start_sub_packet_u16(pkt)
922 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
923 || !WPACKET_close(pkt)) {
924 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
925 return EXT_RETURN_FAIL;
928 return EXT_RETURN_SENT;
932 #ifndef OPENSSL_NO_EC
933 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
934 unsigned int context, X509 *x,
935 size_t chainidx, int *al)
937 const uint16_t *groups;
938 size_t numgroups, i, first = 1;
940 /* s->s3->group_id is non zero if we accepted a key_share */
941 if (s->s3->group_id == 0)
942 return EXT_RETURN_NOT_SENT;
944 /* Get our list of supported groups */
945 tls1_get_supported_groups(s, &groups, &numgroups);
946 if (numgroups == 0) {
947 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
948 return EXT_RETURN_FAIL;
951 /* Copy group ID if supported */
952 for (i = 0; i < numgroups; i++) {
953 uint16_t group = groups[i];
955 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
958 * Check if the client is already using our preferred group. If
959 * so we don't need to add this extension
961 if (s->s3->group_id == group)
962 return EXT_RETURN_NOT_SENT;
964 /* Add extension header */
965 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
966 /* Sub-packet for supported_groups extension */
967 || !WPACKET_start_sub_packet_u16(pkt)
968 || !WPACKET_start_sub_packet_u16(pkt)) {
969 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
970 ERR_R_INTERNAL_ERROR);
971 return EXT_RETURN_FAIL;
976 if (!WPACKET_put_bytes_u16(pkt, group)) {
977 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
978 ERR_R_INTERNAL_ERROR);
979 return EXT_RETURN_FAIL;
984 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
985 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
986 return EXT_RETURN_FAIL;
989 return EXT_RETURN_SENT;
993 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
994 unsigned int context, X509 *x,
995 size_t chainidx, int *al)
997 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
998 s->ext.ticket_expected = 0;
999 return EXT_RETURN_NOT_SENT;
1002 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1003 || !WPACKET_put_bytes_u16(pkt, 0)) {
1004 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1005 return EXT_RETURN_FAIL;
1008 return EXT_RETURN_SENT;
1011 #ifndef OPENSSL_NO_OCSP
1012 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1013 unsigned int context, X509 *x,
1014 size_t chainidx, int *al)
1016 if (!s->ext.status_expected)
1017 return EXT_RETURN_NOT_SENT;
1019 if (SSL_IS_TLS13(s) && chainidx != 0)
1020 return EXT_RETURN_NOT_SENT;
1022 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1023 || !WPACKET_start_sub_packet_u16(pkt)) {
1024 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1025 return EXT_RETURN_FAIL;
1029 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1030 * send back an empty extension, with the certificate status appearing as a
1033 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1034 || !WPACKET_close(pkt)) {
1035 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1036 return EXT_RETURN_FAIL;
1039 return EXT_RETURN_SENT;
1043 #ifndef OPENSSL_NO_NEXTPROTONEG
1044 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1045 unsigned int context, X509 *x,
1046 size_t chainidx, int *al)
1048 const unsigned char *npa;
1049 unsigned int npalen;
1051 int npn_seen = s->s3->npn_seen;
1053 s->s3->npn_seen = 0;
1054 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1055 return EXT_RETURN_NOT_SENT;
1057 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1058 s->ctx->ext.npn_advertised_cb_arg);
1059 if (ret == SSL_TLSEXT_ERR_OK) {
1060 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1061 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1062 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1063 ERR_R_INTERNAL_ERROR);
1064 return EXT_RETURN_FAIL;
1066 s->s3->npn_seen = 1;
1069 return EXT_RETURN_SENT;
1073 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1074 X509 *x, size_t chainidx, int *al)
1076 if (s->s3->alpn_selected == NULL)
1077 return EXT_RETURN_NOT_SENT;
1079 if (!WPACKET_put_bytes_u16(pkt,
1080 TLSEXT_TYPE_application_layer_protocol_negotiation)
1081 || !WPACKET_start_sub_packet_u16(pkt)
1082 || !WPACKET_start_sub_packet_u16(pkt)
1083 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1084 s->s3->alpn_selected_len)
1085 || !WPACKET_close(pkt)
1086 || !WPACKET_close(pkt)) {
1087 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1088 return EXT_RETURN_FAIL;
1091 return EXT_RETURN_SENT;
1094 #ifndef OPENSSL_NO_SRTP
1095 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1096 unsigned int context, X509 *x,
1097 size_t chainidx, int *al)
1099 if (s->srtp_profile == NULL)
1100 return EXT_RETURN_NOT_SENT;
1102 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1103 || !WPACKET_start_sub_packet_u16(pkt)
1104 || !WPACKET_put_bytes_u16(pkt, 2)
1105 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1106 || !WPACKET_put_bytes_u8(pkt, 0)
1107 || !WPACKET_close(pkt)) {
1108 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1109 return EXT_RETURN_FAIL;
1112 return EXT_RETURN_SENT;
1116 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1117 X509 *x, size_t chainidx, int *al)
1119 if (!s->ext.use_etm)
1120 return EXT_RETURN_NOT_SENT;
1123 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1124 * for other cases too.
1126 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1127 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1128 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1129 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1131 return EXT_RETURN_NOT_SENT;
1134 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1135 || !WPACKET_put_bytes_u16(pkt, 0)) {
1136 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1137 return EXT_RETURN_FAIL;
1140 return EXT_RETURN_SENT;
1143 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1144 X509 *x, size_t chainidx, int *al)
1146 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1147 return EXT_RETURN_NOT_SENT;
1149 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1150 || !WPACKET_put_bytes_u16(pkt, 0)) {
1151 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1152 return EXT_RETURN_FAIL;
1155 return EXT_RETURN_SENT;
1158 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1159 unsigned int context, X509 *x,
1160 size_t chainidx, int *al)
1162 #ifndef OPENSSL_NO_TLS1_3
1163 unsigned char *encodedPoint;
1164 size_t encoded_pt_len = 0;
1165 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1168 /* No key_share received from client */
1169 if (s->hello_retry_request) {
1170 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1171 || !WPACKET_start_sub_packet_u16(pkt)
1172 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1173 || !WPACKET_close(pkt)) {
1174 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1175 ERR_R_INTERNAL_ERROR);
1176 return EXT_RETURN_FAIL;
1179 return EXT_RETURN_SENT;
1182 /* Must be resuming. */
1183 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1184 *al = SSL_AD_INTERNAL_ERROR;
1185 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1186 return EXT_RETURN_FAIL;
1188 return EXT_RETURN_NOT_SENT;
1191 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1192 || !WPACKET_start_sub_packet_u16(pkt)
1193 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1194 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1195 return EXT_RETURN_FAIL;
1198 skey = ssl_generate_pkey(ckey);
1200 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1201 return EXT_RETURN_FAIL;
1204 /* Generate encoding of server key */
1205 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1206 if (encoded_pt_len == 0) {
1207 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1208 EVP_PKEY_free(skey);
1209 return EXT_RETURN_FAIL;
1212 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1213 || !WPACKET_close(pkt)) {
1214 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1215 EVP_PKEY_free(skey);
1216 OPENSSL_free(encodedPoint);
1217 return EXT_RETURN_FAIL;
1219 OPENSSL_free(encodedPoint);
1221 /* This causes the crypto state to be updated based on the derived keys */
1222 s->s3->tmp.pkey = skey;
1223 if (ssl_derive(s, skey, ckey, 1) == 0) {
1224 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1225 return EXT_RETURN_FAIL;
1229 return EXT_RETURN_SENT;
1232 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1233 unsigned int context, X509 *x,
1234 size_t chainidx, int *al)
1236 const unsigned char cryptopro_ext[36] = {
1237 0xfd, 0xe8, /* 65000 */
1238 0x00, 0x20, /* 32 bytes length */
1239 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1240 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1241 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1242 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1245 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1246 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1247 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1248 return EXT_RETURN_NOT_SENT;
1250 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1251 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1252 return EXT_RETURN_FAIL;
1255 return EXT_RETURN_SENT;
1258 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1259 unsigned int context, X509 *x,
1260 size_t chainidx, int *al)
1262 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1263 if (s->max_early_data == 0)
1264 return EXT_RETURN_NOT_SENT;
1266 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1267 || !WPACKET_start_sub_packet_u16(pkt)
1268 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1269 || !WPACKET_close(pkt)) {
1270 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1271 return EXT_RETURN_FAIL;
1274 return EXT_RETURN_SENT;
1277 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1278 return EXT_RETURN_NOT_SENT;
1280 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1281 || !WPACKET_start_sub_packet_u16(pkt)
1282 || !WPACKET_close(pkt)) {
1283 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1284 return EXT_RETURN_FAIL;
1287 return EXT_RETURN_SENT;
1290 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1291 X509 *x, size_t chainidx, int *al)
1294 return EXT_RETURN_NOT_SENT;
1296 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1297 || !WPACKET_start_sub_packet_u16(pkt)
1298 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1299 || !WPACKET_close(pkt)) {
1300 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1301 return EXT_RETURN_FAIL;
1304 return EXT_RETURN_SENT;